1 / 21

The University Information Security Policy & InfoSec one year on…

The University Information Security Policy & InfoSec one year on…. Tom Anstey Weatherall Institute of Molecular Medicine & InfoSec infosec@it.ox.ac.uk http://www.it.ox.ac.uk/infosec/infosecproject/. The need for a Policy!. OxCERT led a Information Security Self-Assessment in 2007-2009.

jadzia
Download Presentation

The University Information Security Policy & InfoSec one year on…

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The University Information Security Policy & InfoSec one year on… Tom Anstey Weatherall Institute of Molecular Medicine & InfoSec infosec@it.ox.ac.uk http://www.it.ox.ac.uk/infosec/infosecproject/

  2. The need for a Policy! OxCERT led a Information Security Self-Assessment in 2007-2009

  3. Information Security Best Practice 2009-2011

  4. Cookie legislationMay 2012

  5. Creating a University Policy (1)

  6. Creating a University Policy (2) + ICTF staff + Council Secretariat

  7. Creating a University Policy (3)

  8. Governance: Central -vs- Local • The University Policy tells you *what* to do - a local policy gives more on *how* you do it in your unit • The responsibility is devolved downwards, but if the correct local policies and risk assessments are in place and carried out, the responsibility for risk goes upwards • Creation of Information Security Advisory Group (ISAG) chaired by Emma Rampton in Council Secretariat; includes University Security Service, Conference of Colleges, ICTF, Academics & InfoSec

  9. Identify the problems – Risk Assessments

  10. Non-IT Security Includes liaison with: University Marshal Bio-Medical services Legal services Hospital trusts Personnel services Not just an IT issue Flowchart for data encryption could be used for paper waste destruction protocol.

  11. Whole Disk Encryption Finding a balance between security and usability.

  12. Lunchtime seminars • Each term • 5 speakers • 8 sessions

  13. InfoSec website and SharePoint

  14. Incident register

  15. Is guidance to IT Staff enough? • IT Staff don’t own the sensitive data • They don’t know what is stored, nor the associated risk • What about paper copies? Is it really IT’s problem?

  16. Divisional briefings to administrators This is where the power really is! They’re now on board and understand the need for improved practices, and a local policy. Improved understanding of a unit’s responsibility and liability.

  17. It’s in the Toolkit! Examples Explanations Encryption … easy to read! On-going work in progress Aims to meet ISO2007:2005 http://www.it.ox.ac.uk/infosec/istoolkit/

  18. Centre for the Protection of National Infrastructure Government cyber-security initiative Fits in with other ox.ac.uk academic work e.g. Andrew Martin, Sadie Creese et al.

  19. EPIC on-line training

  20. Post mortem discussions

  21. Summary • Provide proper management backing to get a unit policy into place • Increase user awareness and provide training to all users • Create information asset & risk registers and develop a business continuity plan for disaster recovery. Start on high impact areas. • Manage mobile devices, and encrypt laptop hard disks and devices containing sensitive data, or provide secure remote access • Purchase and issue encrypted devices that allow managed password recovery to those needing to remove sensitive data • Act on your risk assessments. Give a reasonable timescale for implementation; it is a culture change

More Related